Advertisers are pressuring the site to let them see if their ads are working.

Facebook is now using a data company to connect ad displays on the site to in-store purchases, according to an article by the Financial Times. The company, called Datalogix, owns data culled from loyalty programs like the CVS ExtraCare card or the Stop and Shop card. The information includes items like names, e-mail addresses, and purchase history which it can now use to connect to Facebook accounts and target ads.

Facebook ads, like most ads throughout documented history, previously could not always prove that they work. There was no way to connect their display with actual purchases outside direct click-throughs. (Said Facebook advertisers: "What is this, the magazine publishing industry circa 1982?") According to the Financial Times, Facebook faces "growing pressure" to help advertisers track and target current and potential customers more tightly, so it will user Datalogix's database with information from 70 million people and 1,000 retailers to step up its game.

In a statement provided to Ars, a Facebook spokesperson wrote that "Facebook doesn't get data that retailers give Datalogix; retailers don't get any data from Facebook; nor do advertisers share any of their data with Facebook or vice versa." Between Facebook and Datalogix, though, Facebook shares "anonymous IDs corresponding to consumers exposed to a given ad campaign."

Hence, Datalogix does not receive personally identifying information. But by comparing its purchase records and loyalty information (names, e-mail addresses) from partner companies like CVS to ad campaigns served to your (anonymized) profile, the company can get a pretty good idea of what you're about. At least, what you're about when perusing a pharmacy shelf, if advertising can be presumed to work on you (and Facebook ads do appear to work fairly well).

Marc Rotenberg, president of the Electronic Privacy Information Center, noted to Ars that DoubleClick experienced a similar situation in 1999 when it bought the catalog firm Abacus. DoubleClick insisted no personal information would be obtained from the acquisition, but once everyone realized it would be difficult to ignore certain correlations between data sets, the company had to backtrack.

It's unclear whether Facebook's move complies with the consent order it filed with the FTC in 2011 promising that future privacy changes and information sharing would be "opt-in" only. The new sharing arrangement with Datalogix is certainly not opt-in; as The Atlanticpoints out, Facebook users must opt out of the Datalogix interactions. They can navigate through a few different help pages, click on an unhelpful-sounding link to "learn more about the [Facebook] partners and the choices they offer," then can click an opt-out link.

Facebook's arrangement with Datalogix does technically comply with the company's promise in its data use policy to anonymize user data before sharing it with third parties. But given the avalanche of information Datalogix has to cross-reference, you'll be about as anonymous as Jay-Z wearing sunglasses when walking to the grocery store.

The FTC has yet to comment on the matter, or whether it runs afoul of the consent order. "It is critically important for the FTC to look closely at this proposal and to determine whether the company is complying with the terms of the settlement," Rotenberg told Ars.

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter@caseyjohnston

37 Reader Comments

Wow...I'm torn. I don't like advertisers and I don't really like Facebook--the only value I get out of it is posting pictures of my kid for the grandparents--but I do understand the value of what they're doing. On second thought, I just realized why I don't use "reward" cards. My wife on the other hand...

I always use Jenny's number at places that utilize cards like CVS - <your area code>-867-5309. Never once have had it fail, and on more than one occasion have even gotten discounts (pretty certain I'm amongst a horde using that number xD).

It's also nice knowing that you're screwing up some giant corporations dossier on you or someone else. E.g. I like to share my other cards with friends (:< (whomever usually gives you a few key fobs and a card or two).

"I" am useless alone. Now, me combined with the history of my purchases, income, spending history, and anything I "Like" on Facebook is highly valuable to people looking to hawk their goods in my direction.

I do find it suspect that people continue to expect that Facebook is on their side and wants to help them keep their personal information private. Facebook is a company, like any other, that leverages what it possesses to make money and pay dividends to the shareholders. As VideoGameTech implies, you and your data are in a position to make Facebook quite a bit of cash.

I'm not even going to bother stringing together an argument that includes the words "Facebook" and "privacy".

I did want to comment about CVS ExtraCare. I get loyalty programs such as those at grocery stores. But drug stores seem like they are crossing a line. Everything sold under prescription is protected by fairly stringent privacy laws, meant to protect information about your health from misuse. But buy the same products over the counter and there are no protections whatsoever; CVS is free to track your off-prescription purchases of remedies for any health condition and sell that information to anyone they like. How does that make sense?

Basically anything you get for free is either selling your attention (e.g. Google, Facebook), has a paid 'premium' service that isn't as crippled as the free version or has a hidden cost that you'll pay later.

I always use Jenny's number at places that utilize cards like CVS - <your area code>-867-5309. Never once have had it fail, and on more than one occasion have even gotten discounts (pretty certain I'm amongst a horde using that number xD).

...until you use your bank card for payment. Then you're no longer anonymous.

Your strategy only works if you pay cash. I'm not bashing you, just saying.

This is why we tell advertisers to use promotions and time-limited stuff like coupons. Want to track? That'll help. But at the same time, it doesn't account for "I see you, I don't need you now." Advertising is a constant thing, not fire and forget unless you're doing something big and ridiculously good, in my experience.

The thing they (CVS, in this example) don't get is the same thing Amazon doesn't understand. Just because I browse weird stuff on Amazon doesn't mean I'm any closer to buying. And yet "other people have bought" the same crap I was browsing earlier. Oh really?

Sounds like in the future you buy a pack of chewing gum at CVS and eventually your FB will show gum ads, because "you're a chewing gum buyer." Ooh, sophisticated!

But by comparing its purchase records and loyalty information (names, e-mail addresses) from partner companies like CVS to ad campaigns served to your (anonymized) profile, the company can get a pretty good idea of what you're about.

I'm feeling a bit dumb here, possibly missing something obvious. How could they link the loyalty card account to a Facebook ad viewer, if they don't receive any identifying information from Facebook?

I'm feeling a bit dumb here, possibly missing something obvious. How could they link the loyalty card account to a Facebook ad viewer, if they don't receive any identifying information from Facebook?

Telephone number, emails.. etc.

Quote:

Datalogix has purchasing data from about 70m American households largely drawn from loyalty cards and programmes at more than 1,000 retailers, including grocers and drug stores. By matching email addresses or other identifying information associated with those cards against emails or information used to establish Facebook accounts, Datalogix can track whether people bought a product in a store after seeing an ad on Facebook.

But by comparing its purchase records and loyalty information (names, e-mail addresses) from partner companies like CVS to ad campaigns served to your (anonymized) profile, the company can get a pretty good idea of what you're about.

I'm feeling a bit dumb here, possibly missing something obvious. How could they link the loyalty card account to a Facebook ad viewer, if they don't receive any identifying information from Facebook?

It's correlating data. With added data points, the correlated data sets converge upon a unique identification. This has already been proven to work on the Internet via collected tracking cookie data. Anonymity on the Internet is a rare event. There are kewl methods of trickery, like hiding your IP address behind the layered proxy servers of the Tor project while removing all possibilities of 'Super Cookie' surveillance in your web browser. But even then, 'Ve Have Vays of spying on you!'

You know, I once got called out on these forums for making a statement like that. I had said something along the lines of being in the tech field for quite a long time, had watched privacy trends erode ever further, thus leading to my desire not to jump on the 'Social Media' bandwagon. If others wanted to, that's fine, but I stated I suspected most of the population had no idea that they might be dumping information out there they might later regret, and as VideoGameTech and others pointed out before, they 'were' the product. Some hate followed after that. Not so much lately it seems as more and more people grasp this concept.

zunipus wrote:

It's correlating data. With added data points, the correlated data sets converge upon a unique identification. This has already been proven to work on the Internet via collected tracking cookie data. Anonymity on the Internet is a rare event. There are kewl methods of trickery, like hiding your IP address behind the layered proxy servers of the Tor project while removing all possibilities of 'Super Cookie' surveillance in your web browser. But even then, 'Ve Have Vays of spying on you!'

I will admit to using loyalty cards because the "regular" prices are frequently ridiculous at our closest grocer, particularly on produce that's in season, and there's no real alternative where I live. But I use a made up phone number that happens to work at Kroger-owned groceries, and probably others.

This will get more creepy once credit cards get involved. I'll wager that Bank of America will be first with a Facebook card.

"I" am useless alone. Now, me combined with the history of my purchases, income, spending history, and anything I "Like" on Facebook is highly valuable to people looking to hawk their goods in my direction.

I do find it suspect that people continue to expect that Facebook is on their side and wants to help them keep their personal information private. Facebook is a company, like any other, that leverages what it possesses to make money and pay dividends to the shareholders. As VideoGameTech implies, you and your data are in a position to make Facebook quite a bit of cash.

Cheers!-Adam

Well, between AdBlock, Ghostery, Beef Taco, and no Script I have 99.9% of all ads/user-tracking blocked. For the other .1% there's a nice Grease Monkey script for Facebook that keeps every ad off your page.

" Your browser fingerprint appears to be unique among the 2,428,194 tested so far.Currently, we estimate that your browser has a fingerprint that conveys at least 21.21 bits of identifying information."

I always use Jenny's number at places that utilize cards like CVS - <your area code>-867-5309. Never once have had it fail, and on more than one occasion have even gotten discounts (pretty certain I'm amongst a horde using that number xD).

...until you use your bank card for payment. Then you're no longer anonymous.

Your strategy only works if you pay cash. I'm not bashing you, just saying.

/does the same ;-)

Do pre-paid cards link back to your identity? I suppose you probably lose some of your purchase protection that a credit card might offer.

I will admit to using loyalty cards because the "regular" prices are frequently ridiculous at our closest grocer, particularly on produce that's in season, and there's no real alternative where I live. But I use a made up phone number that happens to work at Kroger-owned groceries, and probably others.

This will get more creepy once credit cards get involved. I'll wager that Bank of America will be first with a Facebook card.

" Your browser fingerprint appears to be unique among the 2,428,194 tested so far.Currently, we estimate that your browser has a fingerprint that conveys at least 21.21 bits of identifying information."

Well, between AdBlock, Ghostery, Beef Taco, and no Script I have 99.9% of all ads/user-tracking blocked. For the other .1% there's a nice Grease Monkey script for Facebook that keeps every ad off your page.

That script might keep the ads off your page when viewing Facebook, but it's not stopping the sharing of your data going on between the scenes between Facebook and other companies.

Well, between AdBlock, Ghostery, Beef Taco, and no Script I have 99.9% of all ads/user-tracking blocked. For the other .1% there's a nice Grease Monkey script for Facebook that keeps every ad off your page.

That script might keep the ads off your page when viewing Facebook, but it's not stopping the sharing of your data going on between the scenes between Facebook and other companies.

Which is why I also use ghostery, beef taco, adblock, and other plugins to stop sites from creating cookies and retrieving information. I've only whitelisted a few sites like Ars that don't abuse the data and present ads in a tasteful unobtrusive manner.

" Your browser fingerprint appears to be unique among the 2,428,194 tested so far.Currently, we estimate that your browser has a fingerprint that conveys at least 21.21 bits of identifying information."

You are using I.E. 9

Mine FireFox 15.0.1 with Ghostery and Adblock: Your browser fingerprint appears to be unique among the 2,428,242 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 21.21 bits of identifying information.

You know, I posted my original link above in order to contribute to the thread, to show how easy it is to identify if not a person but at least someone's computers configuration though browser identification, but it's disturbing me more and more as the day goes on. Given an IP (lets say in the case of torrents) this could identify the computer behind a NAT firewall. FUuuuuuuuu... now I'm going to have to ponder this.

You know, I posted my original link above in order to contribute to the thread, to show how easy it is to identify if not a person but at least someone's computers configuration though browser identification, but it's disturbing me more and more as the day goes on. Given an IP (lets say in the case of torrents) this could identify the computer behind a NAT firewall. FUuuuuuuuu... now I'm going to have to ponder this.

Normally I use Opera, but after reading more I found an add-on for Firefox (NoScript) that pre-emptively manages JavaScript. This add-on alone improved FF's fingerprint scores by several points. Simply turning off JavaScript in any other browser would probably reduce the score to the same level. Now if I could only reign in Adobe Flash without killing it as I should.....

present score using FF:Within our dataset of several million visitors, only one in 46,702 browsers have the same fingerprint as yours.Currently, we estimate that your browser has a fingerprint that conveys 15.51 bits of identifying information.-----------------------Still; according to the EFF's browser-uniquness.pdf document- paragraph 2.2:it takes no more than 15-20 bits to uniquely identify a browser.

Hence, Datalogix does not receive personally identifying information. But by comparing its purchase records and loyalty information (names, e-mail addresses) from partner companies like CVS to ad campaigns served to your (anonymized) profile, the company can get a pretty good idea of what you're about.

I don't understand. If Facebook isn't giving any information that can be used to identify me to Datalogix, how is Datalogix correlating information it gets from stores to my Facebook profile?

In the United States, e-mail addresses are not considered PII. Phone numbers are, I believe.

deckeda wrote:"Sounds like in the future you buy a pack of chewing gum at CVS and eventually your FB will show gum ads, because "you're a chewing gum buyer." Ooh, sophisticated! "

Retail analytics are far more sophisticated than this. There was a very interesting article about how Target determined that they could successfully target ads--and drive statistically noticeable revenue increases--by correlating product purchases. Buying tummy lotion now? 6 months from now we should advertise diapers and baby formula. They actually got into some trouble because they sent a coupon book full of baby stuff to a teenage girl, much to the ire of her father. Turns out her buying patterns indicated the truth: she was indeed pregnant (the father apparently called back to apologize). Since then Target has deliberately seeded targeted advertisements with non sequitur products. If they send you a targeted ad for diapers, they seed in gardening tools (or whatever) just to be less creepy.

There was no way to connect their display with actual purchases outside direct click-throughs

Not true. You just put a "coupon code" or some other unique identifier on the FB ad, and require that code to redeem the coupon. The same exact way they determine how effective mailers, magazine ads, paid TV spots, etc. are. That's the REAL purpose of the "special discount offer code!" you hear them mention- it tells them where you saw the ad.

There are also statistical methods to track sales trends in relation to the time period the ads ran, while not as accurate you can still often get a pretty good idea which ad campaigns are working and which are not.